XML Threat Protection Policy
The xml-threat-protection policy protects APIs against malicious XML payloads by enforcing limits on the structure of the document: its elements, entities, attributes, and string values. Bounding structure bounds the work a parser can be made to do, which is how entity-expansion (billion laughs) and external-entity (XXE) payloads are stopped at the gateway. When a payload exceeds any configured structural limit, the policy rejects the request with a 400 status code and a response string describing the violation.
Description
- Configured limits apply to the XML element count, nesting depth, document length, attributes per element, attribute value length, children per element, text value length, entity expansion count, and entity expansion depth. External entity resolution is controlled separately by the allowExternalEntities boolean property, which defaults to false.
- When any configured limit is exceeded, the gateway blocks the request and returns a 400 response. The backend never receives the request, so a hostile payload costs the gateway a bounded amount of parsing and the backend nothing.
- The following conditions trigger a rejection:
  - The XML payload is malformed or syntactically invalid.
  - The document contains more elements than the configured maxElements limit. For example, if maxElements is set to 10 and an incoming document has 11 elements, the policy rejects the request.
  - The nesting depth exceeds the configured maxDepth limit. For example, if maxDepth is set to 5 and a document has 6 levels of nested elements, the policy rejects the request.
  - The total document length exceeds the configured maxLength character limit.
  - An element carries more attributes than the configured maxAttributesPerElement limit.
  - An attribute value exceeds the configured maxAttributeValueLength character limit.
  - An element contains more child elements than the configured maxChildrenPerElement limit.
  - A text node value exceeds the configured maxTextValueLength character limit.
  - The number of entity expansions exceeds the configured maxEntities limit.
  - The depth of nested entity expansions exceeds the configured maxEntityDepth limit.
  - The document contains an external entity reference and allowExternalEntities is set to false (the default).
- Leave allowExternalEntities at false unless the API genuinely consumes external entities. Enabling it re-opens the classic XXE vectors (local file reads and server-side requests driven by the entity's SYSTEM identifier), and none of the other limits above compensate for that.
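The rejection conditions above, as an added example in Python that is not the policy's own code: it streams the document through expat, counts elements, depth, attributes, children and text as it goes, sizes entity amplification from the DTD declarations before anything is expanded, and refuses SYSTEM/PUBLIC entities unless allowExternalEntities is set. The limit keys reuse the property names from the page, but the values in DEFAULT_LIMITS, the inspect_xml function and the sample payloads are assumptions made for this demo, not the policy's defaults or code.

```python
# Added example: enforce the XML threat-protection limits on a request body with expat.
import re
import xml.parsers.expat as expat

_ENTITY_REF = re.compile(r"&([A-Za-z_:][\w.:-]*);")   # general entity reference (not &#...;)

# Keys mirror the policy properties; the values are demo settings, not the policy's defaults.
DEFAULT_LIMITS = dict(
    maxElements=100, maxDepth=10, maxLength=4096, maxAttributesPerElement=10,
    maxAttributeValueLength=256, maxChildrenPerElement=20, maxTextValueLength=1024,
    maxEntities=10, maxEntityDepth=3, allowExternalEntities=False)


class XmlThreatViolation(Exception):
    """Raised when a limit is exceeded; str(exc) is the rejection reason."""


class _LimitingParser:  # streams the document through expat, aborting on the first violation
    def __init__(self, limits):
        self.lim = {**DEFAULT_LIMITS, **(limits or {})}
        self.elements = 0
        self.depth = 0
        self.stack = []      # per open element: [child_count, length_of_current_text_node]
        self.entities = {}   # internal general entities: name -> replacement text
        p = self.parser = expat.ParserCreate()
        p.StartElementHandler = self._start
        p.EndElementHandler = self._end
        p.CharacterDataHandler = self._chars
        p.EntityDeclHandler = self._entity_decl

    def _check(self, value, key):
        if value > self.lim[key]:
            raise XmlThreatViolation(f"{key} exceeded")

    def _entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None:          # SYSTEM/PUBLIC entity: reject, never resolve it
            if not self.lim["allowExternalEntities"]:
                raise XmlThreatViolation("external entity reference not allowed")
            return
        self.entities[name] = value or ""
        # Size the amplification from the declarations, before anything is expanded.
        expansions, depth = self._expansion_cost(name, ())
        self._check(expansions, "maxEntities")
        self._check(depth, "maxEntityDepth")

    def _expansion_cost(self, name, chain):
        """Transitive expansion count and nesting depth of one declared entity."""
        if name in chain:
            raise XmlThreatViolation("recursive entity reference")
        count, depth = 1, 1
        for ref in _ENTITY_REF.findall(self.entities.get(name, "")):
            if ref in self.entities:
                c, d = self._expansion_cost(ref, chain + (name,))
                count, depth = count + c, max(depth, d + 1)
        return count, depth

    def _start(self, name, attrs):
        self.elements += 1
        self.depth += 1
        self._check(self.elements, "maxElements")
        self._check(self.depth, "maxDepth")
        self._check(len(attrs), "maxAttributesPerElement")
        self._check(max(map(len, attrs.values()), default=0), "maxAttributeValueLength")
        if self.stack:                     # register as a child of the enclosing element
            parent = self.stack[-1]
            parent[0] += 1
            parent[1] = 0                  # text before this child was a complete text node
            self._check(parent[0], "maxChildrenPerElement")
        self.stack.append([0, 0])

    def _end(self, name):
        self.stack.pop()
        self.depth -= 1
        if self.stack:
            self.stack[-1][1] = 0          # text after a child starts a new text node

    def _chars(self, data):
        if self.stack:                     # whitespace outside the root is not a text node
            self.stack[-1][1] += len(data)
            self._check(self.stack[-1][1], "maxTextValueLength")


def inspect_xml(payload, limits=None):
    """Return (status, message): (200, 'OK') to forward, (400, reason) to block."""
    if isinstance(payload, bytes):
        payload = payload.decode("utf-8", errors="replace")
    checker = _LimitingParser(limits)
    if len(payload) > checker.lim["maxLength"]:
        return 400, "maxLength exceeded"
    try:
        checker.parser.Parse(payload, True)
    except XmlThreatViolation as exc:
        return 400, str(exc)
    except expat.ExpatError as exc:
        return 400, f"malformed XML: {exc}"
    return 200, "OK"


# Constructed sample payloads for the demo (not captured traffic).
BILLION_LAUGHS = ('<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "' + "&lol;" * 10
                  + '">]><lolz>&lol2;</lolz>')
XXE = '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>'
BENIGN = '<order id="42"><item sku="A1">2</item><item sku="B2">1</item></order>'
```

Two design points carry over to any implementation of this policy. Document length is checked before the parser is even created, so an oversized body is rejected for the price of a length lookup. Entity amplification is computed from the declarations in the DTD, so the rejection fires inside the entity-declaration callback and nothing has been expanded yet; the only expansion the gateway itself pays for is the declarations' own text, which maxLength already bounds. An external entity is rejected at its declaration, so its SYSTEM identifier is never fetched, whether it points at a local file or a network URL.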